09-18-2013 12:16 PM
I am currently trying to learn the TCL Language for use on IOS. A simple script I created is below:
The script works fine on a 3750 but fails on a 6509. Any ideas?
Thanks!! KEV
proc validate {args} {
    foreach address $args {
        set output [exec "ping $address"]
        #puts $output
        # IOS prints the counters as (received/sent)
        regexp {.*Success rate is (\d+) percent \((\d+)\/(\d+)\), round-trip min/avg/max =\s+(\d+)\/(\d+)\/(\d+)} $output COMPLETE perc recieved sent min avg max
        puts "ADDRESS:\t$address"
        puts "PERCENT:\t$perc"
        puts "SENT:\t\t$sent"
        puts "RECV:\t\t$recieved"
        puts "MIN:\t\t$min"
        puts "AVG:\t\t$avg"
        puts "MAX:\t\t$max"
        puts \n
    }
}
validate 172.16.35.12 172.16.3.143 192.168.4.4
LAB_3750(tcl)#validate 172.16.35.12 172.16.3.143 192.168.4.4
ADDRESS: 172.16.35.12
PERCENT: 100
SENT: 5
RECV: 5
MIN: 1
AVG: 3
MAX: 8
ADDRESS: 172.16.3.143
PERCENT: 100
SENT: 5
RECV: 5
MIN: 1
AVG: 2
MAX: 8
ADDRESS: 192.168.4.4
PERCENT: 100
SENT: 5
RECV: 5
MIN: 25
AVG: 30
MAX: 34
LAB_6509(tcl)#validate 172.16.35.12 172.16.3.143 192.168.4.4
ADDRESS: 172.16.35.12
can't read "perc": no such variable
LAB_6509(tcl)#
09-18-2013 02:21 PM
Post the output of the ping command on the 6500. The regexp is not matching and that likely means the output is different between the two devices.
09-19-2013 05:55 AM
Below is output from the pings on both types of gear. I am not a regex guru, but I checked it against both ping outputs using RegEx Coach, and it appeared to match OK, but who knows...
3750
LAB_3750#ping 172.16.35.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.35.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
6509
LAB_6509#ping 172.16.35.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.35.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
One other difference I notice between the two environments is that the 3750 drops me into a +> shell immediately after I paste in the script, while the 6509 seems to keep me in a (tcl) prompt. It also fails, in the same manner, if I launch it from a TFTP server.
LAB_3750(tcl)#proc validate {args} {
+>
LAB_6509(tcl)#proc validate {args} {
LAB_6509(tcl)#
LAB_3750_CODE: 12.2(44)SE3
LAB_6509 CODE: 12.2(33)SXI4a
Thanks for the help!!
09-19-2013 08:31 AM
If you print $output on the 6509, what do you see? You might want to consider switching to EEM Tcl to give you better control over the CLI sessions.
09-19-2013 09:18 AM
This just gets more and more strange...
I enabled the "puts $output" line and executed the TCL script. On the 3750, all was well, in that it showed the ping results. On the 6509, I got a Command Authorization Failed message. I verified that I have Priv 15 credentials (one would hope, in order to even run these scripts). I see error messages in the Failed Attempts in ACS, from this host, each time I executed it. I compared the AAA sections of the configs and they match.
LAB_6509(tcl)#validate 172.16.35.12
Command authorization failed.
ADDRESS: 172.16.35.12
can't read "perc": no such variable
LAB_6509(tcl)#
09/19/2013,11:55:47,Author failed,,Default Group,async,,User unknown,,tty2
09/19/2013,12:00:28,Author failed,,Default Group,async,,User unknown,,tty2
Now, I have to admit, I have yet to even look into EEM or EEMv3, but I will do so.
09-19-2013 12:07 PM
This is what I thought. Tclsh doesn't work with command authorization. EEM does, however. Your script could be updated to this to work with EEM:
::cisco::eem::event_register_none
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Open a CLI session for this policy
if { [catch {cli_open} result] } {
    error $result $errorInfo
}
array set cli $result
# Policy arguments are picked out of the request info below by the names arg<N>
array set arr_einfo [event_reqinfo]
cli_exec $cli(fd) "enable"
foreach aname [array names arr_einfo -regexp {arg[0-9]+}] {
    set address $arr_einfo($aname)
    set output [cli_exec $cli(fd) "ping $address"]
    # IOS prints the counters as (received/sent); report and skip when the line does not match
    if { ![regexp {.*Success rate is (\d+) percent \((\d+)\/(\d+)\), round-trip min/avg/max =\s+(\d+)\/(\d+)\/(\d+)} $output COMPLETE perc recieved sent min avg max] } {
        puts "ADDRESS:\t$address"
        puts "No ping statistics in output:\n$output"
        continue
    }
    puts "ADDRESS:\t$address"
    puts "PERCENT:\t$perc"
    puts "SENT:\t\t$sent"
    puts "RECV:\t\t$recieved"
    puts "MIN:\t\t$min"
    puts "AVG:\t\t$avg"
    puts "MAX:\t\t$max"
    puts \n
}
catch {cli_close $cli(fd) $cli(tty_id)}
You register this script by copying it to disk0:/policies, then configure:
event manager directory user policy disk0:/policies
event manager policy validate.tcl
Also configure:
event manager session cli username USER
Where USER is an AAA user authorized to run the ping command.
Then run it using:
event manager run validate.tcl ADDR [ADDR] ...
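The 6509 failure in this thread came from reading `perc` after the regexp had not matched, because the CLI returned "Command authorization failed." instead of ping statistics. As an added example (not part of the original posts and not Cisco's code), the plain-Tcl helpers below classify the output before any field is read and check that each argument is an IPv4 literal before it is placed in the command string; `parse_ping` and `valid_ipv4` are hypothetical names, IPv4-only arguments are an assumption, and the sample outputs are constructed from lines shown in the thread.

```tcl
# Added example: hypothetical helpers, written to avoid Tcl 8.5+ features.

# Accept only a dotted-quad IPv4 literal, so extra CLI keywords or
# other text never reach the "ping $address" command string.
proc valid_ipv4 {addr} {
    if {![regexp {^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$} $addr -> a b c d]} {
        return 0
    }
    foreach octet [list $a $b $c $d] {
        # scan %d reads decimal, so a leading 0 is not taken as octal
        scan $octet %d n
        if {$n > 255} { return 0 }
    }
    return 1
}

# Return a flat key/value list; "status" is denied, unparsed or ok.
proc parse_ping {output} {
    if {[regexp -nocase {authorization failed} $output]} {
        return [list status denied]
    }
    # IOS prints the counters as (received/sent)
    if {![regexp {Success rate is (\d+) percent \((\d+)/(\d+)\)} $output -> perc recv sent]} {
        return [list status unparsed]
    }
    set result [list status ok percent $perc received $recv sent $sent]
    # The round-trip clause is missing when no reply came back at all
    if {[regexp {round-trip min/avg/max = (\d+)/(\d+)/(\d+)} $output -> min avg max]} {
        lappend result min $min avg $avg max $max
    }
    return $result
}

# Constructed sample outputs: a full success, total loss, and an AAA denial
set samples [list \
    "!!!!!\nSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms" \
    ".....\nSuccess rate is 0 percent (0/5)" \
    "Command authorization failed."]
foreach out $samples {
    puts [parse_ping $out]
}
# Constructed arguments: one valid, one out of range, one with trailing keywords
foreach addr [list 172.16.35.12 999.1.1.1 "10.0.0.1 source vlan1"] {
    puts "$addr -> [valid_ipv4 $addr]"
}
```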
09-19-2013 02:03 PM
Thanks a ton for your help!!
I still can't understand how AAA allows the script on one type of hardware and not the other (3750 vs. 6509), but that may be for another time...
I will look into this option further, especially as I come up with ideas to leverage this technology, in order to enrich the network monitoring capabilities currently in place.